Ransomware, Cyberattacks, and Hacking in the Health Care Industry: Lessons from a Letter to the FBI

The last several weeks have brought a host of alarming revelations regarding the vulnerability of some of the most confidential data that corporations and legal entities maintain on their servers. Most notably, the story of the so-called “Panama Papers” continues to attract substantial media attention, as the theft of approximately 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca, and its disclosure to the International Consortium of Investigative Journalists, has already caused the resignation of one international leader and threatens the fates of several more. Perhaps less provocative, but no less significant, is a recent Wall Street Journal article reporting that hackers illegally accessed the computer networks at some of the most respected and prestigious law firms in the United States, apparently for the purpose of stealing confidential information that in turn can facilitate insider trading.

It should not be surprising that entities in the legal industry face these sorts of attacks, given the importance of the information they maintain. Somewhat less obvious, though, is the extent to which entities in the health care field also face a demonstrated risk of data theft at the hands of hackers seeking financial gain. In fact, although medical information about celebrity patients may be enticing to hackers, the information that hospitals maintain is typically not the sort that can generate newspaper headlines or lead to profitable insider trading. Yet, whether due to a desire on the part of hackers to steal information such as social security numbers or Medicare provider credentials, or to extort a ransom by locking health care providers out of critical patient information, the threat is still very real. In fact, on April 8, 2016, Senator Barbara Boxer (D-CA) sent a letter to FBI Director James Comey that rightfully brings heightened attention to the issue of data integrity and electronic theft in the health care industry.

In her letter to Director Comey, Senator Boxer begins by referring to “recent ransomware attacks on hospitals in California and across the United States,” and mentions by name the recent attacks on MedStar Health in Washington, DC (a $5 billion health care provider that reportedly lost access to its records database and turned away patients as a result of a recent cyberattack); the Alvarado Medical Center in San Diego, California (a 306-bed hospital facility that confirmed it had been the victim of what it termed a “malware disruption”); and the Hollywood Presbyterian Medical Center in Los Angeles, California (which, in February 2016, paid a ransom of 40 bitcoins – about $17,000 – to regain access to its computer system after malware blocked access to the hospital’s electronic medical files regarding the patients it was treating). In her letter, Senator Boxer next goes on to express the concern that “by paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks” – which, of course, is a genuine and principled issue, albeit one that does not take into account the profound and painful dilemmas that hospital administrators undoubtedly face when urgently attempting, in good faith, to maintain hospital functions and provide essential and safe treatment to patients who otherwise would bear the dangerous brunt of a hostile ransomware attack. Finally, Senator Boxer requests in her letter that Director Comey respond by describing not only the steps that the FBI is taking to investigate these crimes, but also “what steps . . . hospitals and other businesses can take to protect themselves both prior to and following a ransomware attack.”

While it remains to be seen whether and to what extent Director Comey responds to Senator Boxer’s inquiry, several observations are warranted. The first is the extent to which Senator Boxer’s letter recognizes, at least implicitly, that when it comes to cybersecurity, even some of the largest and most prominent corporations and institutions in the United States simply cannot keep up. In particular, by asking the FBI to give hospitals and other businesses advice about what they can do to deal with and prevent malware attacks, there is the recognition that these entities are at a significant disadvantage when it comes to defending against and preventing intrusions from sophisticated international hackers. And while the upper hand that hackers have against corporate America may seem obvious – especially in light of the well-publicized revelation that even the FBI had to hire a hacker when it could not itself break into (or convince Apple to help it break into) the iPhone of the San Bernardino terrorism suspects – the fact that Senator Boxer acknowledges the issue in her letter can provide hospitals, smaller medical providers, and other entities that promptly report any data breaches, but still find themselves on the receiving end of penalties or lawsuits arising from the involuntary disclosure of HIPAA-protected information, with valuable arguments in their defense.

A second valuable aspect of Senator Boxer’s letter is that, if hospitals or medical providers conduct their own inquiries into the issues that the letter raises, they will find that the federal government has already provided the health care industry with substantial guidance regarding cybersecurity concerns. Indeed, while one may reasonably expect that Director Comey will respond in some detail to Senator Boxer’s letter, the federal government can readily point to the guidance contained in a webpage that the Department of Homeland Security already maintains regarding cybersecurity issues, or to a range of webpages that the United States Computer Emergency Readiness Team (“US-CERT”, a branch of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center) provides in order to “improve the Nation’s cybersecurity posture.” Additionally, on March 31, 2016 – approximately eight days before Senator Boxer’s letter was transmitted – US-CERT issued an alert entitled “Ransomware and Recent Variants,” which notes the destructive and growing use of ransomware against hospitals and healthcare companies. The alert further recommends seven specific preventive measures that should be taken to help protect against ransomware attacks and computer intrusions, not just in the health care industry but in the corporate world more generally.

Finally, although Senator Boxer’s letter inquires primarily about the steps that can be taken to prevent malicious computer attacks in the health care arena, those who represent the interests of health care entities should also consider a resource that has been the subject of recent litigation – namely, insurance policies that include coverage for cybersecurity issues. According to a 2015 report conducted by the Association of Corporate Counsel (“ACC”), about half of all General Counsel and Chief Legal Officers indicated that their company has cybersecurity insurance, and the Department of Homeland Security maintains a webpage that describes cybersecurity insurance, the benefits it provides, and the reasons why companies have tended to forgo the types of policies that are currently in the marketplace. To be sure, cybersecurity insurance policies are not a cure-all, and the ACC reports that, of the in-house counsel whose companies have cybersecurity insurance and experienced a breach, only 19% said that the policy fully covered the resulting damages. But of course, policy language is critical, as a recent case from the Fourth Circuit reflects. In an unpublished opinion that affirmed the district court’s decision in a dispute between Travelers Insurance and a company that provides security for electronic medical records, the Fourth Circuit rejected the insurer’s attempt to limit the scope of its duty to defend against litigation arising from the release of protected health care information. In particular, the court of appeals held that a lawsuit arising from the unauthorized release of patient information can trigger an insurer’s duty to defend the insured against the “publication” of patient data, even if the insured cannot show that the data was actually accessed by others, and even if the insurer’s obligations do not extend to indemnifying or paying a judgment against the insured.

Given the many painful consequences that can arise from a data security breach in the health care industry, insurance policies can thus provide a valuable supplement to the types of preventive measures about which Senator Boxer has directed her well-warranted concerns.